[keycloak-user] KeyCloak offline tokens and architecture

Haim Vana haimv at perfectomobile.com
Wed May 18 05:53:25 EDT 2016


Hi,
We are evaluating KeyCloak to be our SSO server, and we have a few questions regarding the offline token usage.
First our high level use case is as follows:
We have multi-tenancy applications, each tenant will have its own realm (which means the same clients will be defined for each realm).
One of the applications has 3 authentication scenarios:
1.    User using SDK flow to access the application (by code)
2.    Offline job
3.    External micro service (not registered in KeyCloak) that needs to access our application micro service
4.    UI login
We thought to use offline token for the first three, and define a single client for UI and micro services.
Does our approach make sense ? specially regarding the realm per tenant and the fact that we will have to create the same clients for each realm,
The offline token usage for the authentication flows, and the single client for the UI and micro service.
Regarding the offline tokens - why are they per client ? is it mean that when using the client offline token (and getting the real token from KeyCloak) we will not be able to use it for other client (within the realm) micro service ?
Also how can we generate them for each of the following cases (also described above):
1.    User - should manually add the token to his code, so we thought to provide it within the application, however how can we generate the offline token to already logged in user ? we would like to avoid generating the offline token to all users and to use separate offline login page.
2.    Offline job - the offline job which is cross realms will use special operator realm, the token will be generated manually by the admin which will stored it in the file system for the offline job usage, how can the admin generate this token ? can it be done in the admin console ? if not I guess we will have to create a service that logs him to the application and generate the token, is there an alternative ?
3.    Micro service - it's very similar flow to the offline job only that the admin will have to create offline token per realm.
I hope it's not too much [https://issues.jboss.org/images/icons/emoticons/smile.png]  and any advice will be highly appreciated.

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160518/586f4484/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 752 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160518/586f4484/attachment.png 


More information about the keycloak-user mailing list